Method and system for defining a safe storage area for use in recovering a computer system

ABSTRACT

A method for defining an area to record changes made to a computer system is disclosed. The method includes defining a safe area on a primary storage device of the computer system and storing information on the location of the safe area on a secondary storage device. The method further includes booting the computer system utilizing a backup device and changing data on the primary storage device. The changes are recorded in the safe area of the primary storage device and are accessible when the computer system is booted from the backup device.

BACKGROUND OF THE INVENTION

The present invention relates generally to recovering a computer system, and more particularly, to a system and method for defining a safe quarantine area on a disk for use in storing information about changes made to the disk during a virus cleaning operation. The information is used to recover data if the computer system is corrupted during cleaning of the system for viruses.

A huge surge in computer viruses has occurred in the last decade. Computer viruses have gone from an academic curiosity to a persistent, worldwide problem. Today, viruses affect vast numbers of computers in locations throughout the world. A computer virus is generally a manmade destructive computer program or code that is loaded onto a computer system without the knowledge of the user. The computer virus is often a self-replicating program containing code that explicitly copies itself and can infect other programs by modifying them or their environment. Even a simple virus can be dangerous as the virus can quickly use a large portion of the available memory and possibly bring down the computer system.

Viruses can be written for, and spread on, virtually any computing platform. A virus can infect, or become resident in almost any software component, including an application, operating system, system boot code, or device driver. Computer viruses spread by attaching themselves to other programs (e.g., word processing or spreadsheet applications) or to a boot sector of a disk. When an infected file is activated or executed, or when the computer is started from an infected disk, the virus is also executed and attempts to infect other files. Since a virus is software code, it can be transmitted along with any legitimate software that enters the computer environment.

The term virus generally refers to any destructive or harmful program or code that attempts to hide its possibly malicious function or tries to spread onto as many computers as possible. One common type of virus is a macro virus, which is encoded as a macro embedded in a document. Many applications support macro languages which allow the user to embed a macro in a document and have the macro execute each time the document is opened. Once a computer system is infected with a macro virus, the virus can embed itself in all future documents created with the associated application.

Another common virus is a boot sector virus, which replaces the computer system's master boot record with its own code. The boot sector virus is a small program executed each time a computer boots. The virus infects floppy disks and hard disks by inserting itself into the boot sector of the disk, which contains code that is executed during the system boot process. Since the master boot record executes every time the computer is started, the boot sector virus can be very dangerous to the integrity of the computer system. The boot sector virus typically enters the computer system through a floppy disk installed in the floppy drive when the computer system is started. Other types of viruses include polymorphic viruses, Trojan horses, and computer worms.

Many anti-virus programs have become commercially available for protection against viruses. There are three main types of anti-virus software: activity monitors, integrity checkers, and scanners. Activity monitoring programs attempt to prevent infection before it happens by looking for virus type activity, such as attempts to reformat a disk. Integrity checkers compute a small checksum or hash value for files which are presumably uninfected, and later compare newly calculated values with the original ones to see if the files have been modified. These programs catch unknown viruses as well as known ones. Integrity checkers may be called to check entire disks or they may be resident, checking each program that is about to be executed.

Scanners are the most widely used type of anti-virus program. Virus scanners generally operate in batch mode, scanning all files on a system, hard disk, or floppy disk, when requested by the user, or at set intervals. They look for known viruses by searching disks and files for scan strings or patterns. A scanner may be designed to examine specified disks or files on demand, or it may be resident, examining each program that is about to be executed. Most scanning programs include an update feature that allows the anti-virus program to download profiles of new viruses from the Internet so that the program can check for new viruses soon after they are discovered. Most scanners also include virus removers which are operable to clean infected files. One example of an anti-virus scanner is McAfee's VSHIELD.

A virus scan may be performed, for example, on a volume boot sector, such as an NTFS (NT File System) boot sector. The volume boot sector is created when a high-level format of a hard disk partition is performed. The volume boot sector includes a disk parameter block which contains information that is used by the operating system to determine where other internal structures of the partition are located. The boot sector's code is executed directly when the disk is booted, thus making it a favorite target for virus writers. The virus scan is typically performed on the hard drive with the system booted using a backup operating system. If infected files are found during the virus scan, a cleaning operation is performed. However, since the disk is being accessed without the use of the primary operating system, there is a risk of corrupting the data. For example, the infected disk may have been operable prior to cleaning but is no longer able to boot the computer system. If the data is corrupted during the cleaning process it may be necessary to return the computer system to the state it was in before cleaning of the disk was attempted, so that data on the disk is accessible. This requires that changes made during the cleaning operation be recorded so that the changes can be reversed, if required. Since these changes may be extensive, it is unlikely that they would fit onto a floppy disk or other removable storage device.

There are also other changes that may be made to the computer system, such as system upgrades or patches, which may require modification to data on a computer hard drive while the system is booted using a backup operating system.

There is, therefore, a need for a method and system for defining a safe area on the disk being modified to store changes made to the disk to return the computer system to the state it was in before the changes were made.

SUMMARY OF THE INVENTION

A method for defining an area to record changes made to a computer system is disclosed. The method generally comprises defining a safe area on a primary storage device of the computer system and storing information on the location of the safe area on a secondary storage device. The method further includes booting the computer system utilizing a backup device and changing data on the primary storage device. The changes are recorded in the safe area of the primary storage device and are accessible when the computer system is booted from the backup device.

The changes may include, for example, changes made during a virus cleaning operation, system upgrade, or patch installation.

A computer program product for defining an area to record changes made to a computer system generally comprises computer code that defines a safe area on a primary storage device of the computer system and stores information on the location of the safe area on a secondary storage device. The product further includes computer code that boots the computer system utilizing a backup device and changes data on the primary storage device and computer code that records changes made to the primary storage device in the safe area of the primary storage device. The recorded changes are accessible with the computer system booted from the backup device. A computer readable medium is provided to store the computer codes.

In another aspect of the invention, a method for restoring a computer system to a pre-virus cleaning configuration generally comprises booting a computer system utilizing a backup operating system, scanning a primary storage device for viruses, and cleaning the primary storage device of viruses identified during scanning. The changes made to the primary storage device during cleaning are recorded in a predefined area of the primary storage device. The method further includes attempting to boot the computer system utilizing the primary operating system and restoring at least a portion of the primary storage device to its configuration prior to cleaning if the computer system is not able to boot utilizing the primary operating system.

The above is a brief description of some deficiencies in the prior art and advantages of the present invention. Other features, advantages, and embodiments of the invention will be apparent to those skilled in the art from the following description, drawings, and claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic illustrating an example of a computer system that can be utilized to execute software of an embodiment of the invention.

FIG. 2 is a system block diagram of the computer system of FIG. 1.

FIG. 3 is a block diagram illustrating an embodiment of the invention.

FIG. 4 is a flowchart illustrating a process for defining a safe area for storing information on changes made during a virus cleaning operation.

FIG. 5 is a flowchart illustrating a process for returning a computer system to its earlier configuration if data is corrupted during the cleaning process.

Corresponding reference characters indicate corresponding parts throughout the several views of the drawings.

DETAILED DESCRIPTION OF THE INVENTION

The following description is presented to enable one of ordinary skill in the art to make and use the invention. Descriptions of specific embodiments and applications are provided only as examples and various modifications will be readily apparent to those skilled in the art. The general principles described herein may be applied to other embodiments and applications without departing from the scope of the invention. Thus, the present invention is not to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features described herein. For purpose of clarity, details relating to technical material that is known in the technical fields related to the invention have not been described in detail.

The system and method described herein are used to define a safe area on a storage device for recording changes made so that the changes can be reversed if needed for proper operation of the computer system. The changes may be made, for example, during a virus cleaning operation or during a system upgrade or patch. As described further below, the system defines a safe area within a storage device that can be safely accessed when the computer system is booted from a bootable disk (utilizing an operating system different from the normal operating system of the computer). The safe area includes information on how to recover the computer system if a cleaning operation results in changes to the computer that prevent it from booting from its normal operating system. The system may also be used to restore only a portion of the data if only some of the data was corrupted during the cleaning process.

Referring now to the drawings, and first to FIG. 1, an example of a computer system that may be used to implement an embodiment of the present invention is shown and generally indicated at 20. The computer system 20 includes a display 22, screen 24, cabinet 26, keyboard 28, and mouse 30, which may include one or more buttons for interacting with a GUI (Graphical User Interface). Cabinet 26 houses a floppy or CD-ROM drive 32, system memory 42 and fixed storage 44 (see FIG. 2) which can be utilized to store and retrieve software programs incorporating computer code that implements aspects of the invention, data for use with the invention, and the like. Computer readable storage media include CD-ROM 34, floppy disk 38, hard drive 44, tape, flash memory, and system memory. Additionally, a data signal embodied in a carrier wave (e.g., in a network including the Internet) can be the computer readable storage medium.

FIG. 2 shows a system block diagram of computer system 20 used to execute software of an embodiment of the invention. Computer system 20 further includes subsystems such as a central processor 40, system memory 42, fixed storage 44 (e.g., hard drive), removable storage 46 (e.g., floppy or CD-ROM), display adapter 48, and network interface 54. Other computer systems suitable for use with the invention may include additional or fewer subsystems. For example, computer system 20 may include more than one processor 40 (i.e., a multi-processor system) or a cache memory.

The system bus architecture of computer system 20 is represented by arrows 58 in FIG. 2. However, these arrows are only illustrative of one possible interconnection scheme serving to link the subsystems. For example, a local bus could be utilized to connect the central processor 40 to the system memory 42 and display adapter 48. Computer system 20 shown in FIGS. 1 and 2 is only one example of a computer system suitable for use with the invention. Other computer architectures having different configurations or subsystems may also be utilized.

The computer system may be a stand-alone desktop computer as shown in FIG. 1 or a laptop computer, mainframe computer, or handheld device (e.g., personal digital assistant (PDA) or mobile phone), for example. The computer system may be a personal computer or configured for use as a server or other networked computer.

FIG. 3 is a block diagram illustrating one embodiment of the system of the present invention. As previously described, a safe area 70 is defined on a hard drive 44, or other suitable storage device (primary storage device) used to store executable programs, (primary) operating system 59, and data. The operating system 59 generally operates to control and manage the resources of the computer system. Execution of the operating system 59 is initiated upon turning the computer power on or resetting the computer. The operating system 59 is booted by execution of a portion of code stored in a boot sector on the hard disk drive 44. The boot code then calls the main operating system code. The hard drive 44 may have, for example, NTFS (New Technology File System) volumes including an NTFS volume boot sector. The system further includes a bootable backup disk 62 for booting the computer system 20 utilizing a backup (secondary) operating system 63, a virus scan application 64 for performing a virus scan of the hard drive, and a virus clean application 66 for cleaning infected files identified during scanning. It is to be understood that the bootable disk 62 may include the virus scanner 64 and cleaner 66 or these applications may be located on a separate disk. For example, one disk may be utilized to boot, scan, and clean, regardless of the type of operating system stored on the hard drive. In one embodiment, the virus scanning and cleaning applications 64, 66 are combined into an anti-virus program as described below.

A secondary storage device 46 (e.g., removable storage device such as floppy disk 38 (e.g., 720 KB low-density or 1.44 MB high-density 3.5-inch diskette) or CD-ROM 34) is used to identify the location of the safe area on the hard drive 44. A backup repair disk 68, such as an Emergency Repair Disk (ERD) created by a backup utility, is used to define the safe area 70 on the hard drive 44. The safe area 70 can be safely accessed when the computer system is booted from the secondary operating system 63 and contains information on how to recover the computer system if the cleaning operation prevents the system from booting.

FIGS. 4 and 5 are flowcharts illustrating a process for defining the safe area 70 on the computer system and using data stored in the safe area to recover the computer system. The computer system is first booted using its normal operating system. Before a virus scan or clean operation is performed, the safe area 70 is defined on the hard drive 44 and the location is stored on the secondary storage device 46 (steps 80 and 82 of FIG. 4). A user may be prompted by a message on the display to insert appropriate disks as required. The emergency repair disk 68 (or other disk containing a suitable utility program) is used to create a new file for the safe area 70 on the hard drive 44. The new file is filled with content that forms a detectable pattern for each cluster allocated to that file. The file size may be a predetermined size or it may be set by the user or utility based on how much data is likely to be modified during a cleaning operation. After the safe area file is created on the hard drive 44, the user inserts the secondary storage device 46 (e.g., floppy disk) and the location of the safe area 70 and the pattern used to initialize the area are recorded on the disk. After this information is stored on the disk 46, a message is displayed instructing the user to remove the disk and boot the computer using the backup disk 62 (step 84).

After the computer system is booted utilizing the backup operating system 63, the hard drive 44 is scanned for viruses (step 86). Only a portion of the hard drive 44 may be scanned or the entire disk may be scanned. If the hard drive 44 is found to be clean, the user receives a message that no viruses were found and to restart the computer (steps 88 and 90). The computer is then booted as usual from its normal operating system 59. The computer may also be booted from its normal operating system automatically if no viruses are found. If a virus is found, the system checks to see if there is a safe area 70 defined on the hard drive 44 and if it is still available (steps 91 and 92). A message is displayed to the user requesting insertion of disk 46 containing the information on the location of safe area 70. The information is used to verify that the location of the safe area clusters is correct by comparing the information on the safe area 70 of the disk with the stored pattern on the secondary storage device 46. If the locations and patterns of the safe area 70 match those on disk 46, it is safe to write directly to the allocated sectors. If the safe area sectors are no longer available, the computer is booted while infected utilizing primary operating system 59, and a new safe area 70 is defined on the hard drive (steps 96 and 98). The new location and patterns of safe area 70 are stored on disk 46 (step 100) and the computer is booted with the backup disk 62 (step 102).

Once the safe area 70 is defined and the location and pattern information is stored on the secondary storage device 46, the cleaning process can begin (FIG. 5). At step 110, the cleaning operation is performed. Changes made to the hard drive 44 are saved to safe area 70 on the hard drive along with information on how to revert back to its configuration prior to the cleaning operation (step 112). The safe area 70 may include, for example, a record of the changes made, a copy of the original data and location on the disk 44, or a list of expected changes. This information is then used to return the hard drive 44 to its original configuration or to verify that the changes made will correct a problem when the system is booted to the primary operating system 59.

After the system is cleaned, the user is prompted to boot the system with its normal operating system 59 (step 114). If the computer system 20 restarts and all programs function properly, the process is completed (step 116). If the operating system does not boot correctly or does not boot at all, the computer is booted using the backup disk 62 (steps 116, 118, and 120). The secondary storage device 46 is inserted and the computer is returned to the state it was in prior to the cleaning process (steps 122 and 124). The user may receive a message informing him that the computer could not be cleaned without disrupting normal operation of the computer system. If the computer system boots but a file or program is not working properly, the specific file or program is restored to its pre-clean configuration (steps 118 and 126). Since the hard drive 44 knows where the safe area 70 is located, there is no need to insert the disk 46 to restore only files or programs to their pre-clean configuration. The computer system may display a message to the user that certain files or programs are still infected.
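The following sketch is an added illustration, not code from the patent or from any product it names: it simulates the FIG. 4 and FIG. 5 flow on an in-memory disk image, covering pattern-filled safe-area clusters, the location record kept on the secondary device, verification before direct writes, an undo journal, and rollback. The cluster size, the SHA-256-derived fill pattern, the JSON location record and the journal layout are all assumptions chosen for the example.

```python
import hashlib
import json
import struct

CLUSTER = 512                 # assumed cluster size of the simulated primary disk
MAGIC = b"SAFEJRNL"           # hypothetical journal marker, not from the patent
HDR = struct.Struct("<8sI")   # marker + number of committed undo records
REC = struct.Struct("<QI")    # disk offset + length of the saved original bytes

def pattern_for(cluster: int, seed: bytes) -> bytes:
    """Detectable fill for one cluster: SHA-256(seed || cluster number), repeated."""
    digest = hashlib.sha256(seed + struct.pack("<Q", cluster)).digest()
    return digest * (CLUSTER // len(digest))

def define_safe_area(disk: bytearray, clusters: list, seed: bytes) -> str:
    """Steps 80/82: pattern-fill the clusters; return the record for the secondary device."""
    for c in clusters:
        disk[c * CLUSTER:(c + 1) * CLUSTER] = pattern_for(c, seed)
    return json.dumps({"clusters": clusters, "seed": seed.hex()})

def verify_safe_area(disk: bytearray, descriptor: str) -> bool:
    """Steps 91/92: direct writes are safe only if every cluster still holds its pattern."""
    d = json.loads(descriptor)
    seed = bytes.fromhex(d["seed"])
    return all(bytes(disk[c * CLUSTER:(c + 1) * CLUSTER]) == pattern_for(c, seed)
               for c in d["clusters"])

def _addr(clusters, pos):
    """Map a logical offset in the (possibly fragmented) safe area to a disk offset."""
    idx, off = divmod(pos, CLUSTER)
    return clusters[idx] * CLUSTER + off

def _write(disk, clusters, pos, data):
    for i, byte in enumerate(data):
        disk[_addr(clusters, pos + i)] = byte
    return pos + len(data)

def _read(disk, clusters, pos, n):
    return bytes(disk[_addr(clusters, pos + i)] for i in range(n))

def clean_with_journal(disk, descriptor, changes):
    """Steps 110/112: save the original bytes to the safe area, then apply each change."""
    if not verify_safe_area(disk, descriptor):
        raise RuntimeError("safe area unavailable; define a new one before cleaning")
    clusters = json.loads(descriptor)["clusters"]
    need = HDR.size + sum(REC.size + len(new) for _, new in changes)
    if need > len(clusters) * CLUSTER:
        raise RuntimeError("safe area too small for the planned changes")
    for off, new in changes:
        touched = range(off // CLUSTER, (off + len(new) - 1) // CLUSTER + 1)
        if set(clusters).intersection(touched):
            raise ValueError("change would overwrite the safe area itself")
    pos = _write(disk, clusters, 0, HDR.pack(MAGIC, 0))
    for count, (off, new) in enumerate(changes, start=1):
        original = bytes(disk[off:off + len(new)])
        pos = _write(disk, clusters, pos, REC.pack(off, len(original)) + original)
        _write(disk, clusters, 0, HDR.pack(MAGIC, count))  # commit record before the change
        disk[off:off + len(new)] = new
    return len(changes)

def restore(disk, descriptor):
    """Steps 122/124: undo the journaled changes, newest first; returns records undone."""
    clusters = json.loads(descriptor)["clusters"]
    magic, count = HDR.unpack(_read(disk, clusters, 0, HDR.size))
    if magic != MAGIC:
        raise RuntimeError("no journal found at the recorded safe-area location")
    pos, records = HDR.size, []
    for _ in range(count):
        off, length = REC.unpack(_read(disk, clusters, pos, REC.size))
        records.append((off, _read(disk, clusters, pos + REC.size, length)))
        pos += REC.size + length
    for off, original in reversed(records):
        disk[off:off + len(original)] = original
    return count

def demo():
    """Constructed 64-cluster disk image: clean it, assume the boot fails, roll back."""
    disk = bytearray(b"BOOTCODE-ORIGINAL".ljust(CLUSTER, b"\x90") * 64)
    desc = define_safe_area(disk, [40, 41, 43], seed=b"constructed-seed")
    before = bytes(disk)
    clean_with_journal(disk, desc, [(0, b"PATCHED!"), (700, b"\x00" * 16)])
    changed = bytes(disk[:CLUSTER]) != before[:CLUSTER]
    undone = restore(disk, desc)
    return changed, undone, bytes(disk[:40 * CLUSTER]) == before[:40 * CLUSTER]
```

In this sketch the pattern check matters because the cleaner writes to raw clusters without the primary file system's allocator: a mismatch means the recorded clusters have been reused since the safe area was defined, so writing a journal there would destroy live data.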

It is to be understood that the process described above and illustrated in FIGS. 4 and 5 is only one example and that a process may include additional or fewer steps, or the order of the steps may vary without departing from the scope of the invention. Furthermore, the method described herein may be used to restore a computer system to an earlier configuration regardless of the reason for changes to the storage device. For example, the changes may be made during an update to an application or program on the storage device or for any other reason.

The anti-virus program used to scan for viruses and clean infected data may be, for example, an application such as McAfee's VSHIELD, ACTIVESHIELD, SCAN NOW or VIRUSSCAN brand programs, or anti-virus applications described in U.S. Pat. No. 6,029,256, issued Feb. 22, 2000 or U.S. Pat. No. 6,035,423 issued Mar. 7, 2000, which are incorporated herein by reference in their entirety, or any other suitable anti-virus program. The anti-virus program may be accessed from a removable storage device or installed on the computer 20 by a disk or CD-ROM, or downloaded directly from the Internet, for example.

Although the present invention has been described in accordance with the embodiments shown, one of ordinary skill in the art will readily recognize that there could be variations made to the embodiments without departing from the scope of the present invention. Accordingly, it is intended that all matter contained in the above description and shown in the accompanying drawings shall be interpreted as illustrative and not in a limiting sense. 

1-31. (canceled)
 32. A method comprising: defining a safe area on a primary storage device of a computer system, the primary storage device containing a primary operating system of the computer system; identifying changes made on the primary storage device following booting of the computer system; and recording the changes made on the primary storage device to the defined safe area.
 33. The method of claim 32, further comprising storing information on a secondary storage device, the information identifying the location of the safe area on the primary storage device.
 34. The method of claim 33, wherein the information includes a file with content forming a detectable pattern for each cluster allocated to the file.
 35. The method of claim 32, wherein the computer system is booted utilizing a backup device.
 36. The method of claim 35, wherein the bootable device includes a virus scanner and a virus cleaner.
 37. The method of claim 35, wherein the bootable device includes a secondary operating system and the computer system is booted utilizing the secondary operating system.
 38. The method of claim 32, further comprising storing, in the safe area, computer-readable instructions for recovering the computer system using the changes recorded in the safe area.
 39. The method of claim 32, further comprising running a malware scan of at least a portion of the primary storage device.
 40. The method of claim 39, wherein running the malware scan includes determining whether a safe area has been defined on the primary storage device.
 41. The method of claim 40, wherein a determination that a safe area has not been defined prompts definition of the safe area on the primary storage device.
 42. The method of claim 32, further comprising using data stored in the safe area to restore at least a portion of the primary storage device to an earlier configuration.
 43. The method of claim 42, wherein the earlier configuration is a configuration prior to cleaning the primary storage device of malware detected during a scan of the primary storage device.
 44. The method of claim 42, wherein restoring at least a portion of the primary storage device to the earlier configuration includes verifying availability of the safe area.
 45. The method of claim 44, wherein data identifying location of the safe area on the first storage device is stored on a secondary storage device, and verifying the availability of the safe area includes verifying presence of the safe area at the location specified by the data stored on the secondary storage device.
 46. The method of claim 44, wherein data identifying patterns of the safe area is stored on a secondary storage device, and verifying the availability of the safe area includes comparing the patterns of the safe area as stored on the secondary storage device with the patterns of the safe area on the first storage device.
 47. The method of claim 44, wherein determining that the safe area is not available prompts definition of a new safe area on the primary storage device.
 48. The method of claim 47, wherein defining the new safe area includes booting the computer system utilizing the primary operating system.
 49. Logic encoded in non-transitory media that includes code for execution and when executed by a processor is operable to perform operations comprising: defining a safe area on a primary storage device of a computer system, the primary storage device containing a primary operating system of the computer system; identifying changes made on the primary storage device following booting of the computer system; and recording the changes made on the primary storage device to the defined safe area.
 50. A method comprising: identifying malware during a scan of a primary storage device of a computer system, the primary storage device including a primary operating system; removing the identified malware, wherein removal of the identified malware causes changes on the primary storage device; and recording the changes on the primary storage device in a predefined safe area on the primary storage device.
 51. The method of claim 50, further comprising determining that the safe area is defined prior to removing the identified malware.
 52. The method of claim 51, wherein defining the safe area includes storing data on a secondary storage device, the data identifying the location of the safe area on the primary storage device.
 53. The method of claim 52, wherein the data includes a file with content forming a detectable pattern for each cluster allocated to the file.
 54. The method of claim 52, wherein size of the safe area is determined based, at least in part, on predicted changes to the primary storage device responsive to the scan of the primary storage device.
 55. The method of claim 50, further comprising determining whether the computer system functions properly following removal of the identified malware.
 56. The method of claim 55, wherein determining whether the computer system functions properly following removal of the identified malware includes attempting to boot the computer system utilizing the primary operating system following the removal of the identified malware.
 57. The method of claim 55, wherein a determination that the computer system does not function properly following removal of the identified malware prompts a restoration of at least a portion of the primary storage device to a configuration prior to the removal of the identified malware.
 58. The method of claim 57, wherein restoring at least a portion of the primary storage device includes booting the computer system utilizing a backup operating system.
 59. The method of claim 57, wherein restoring at least a portion of the primary storage device includes reading a secondary storage device to identify a location of the predefined safe area on the primary storage device.
 60. The method of claim 50, wherein the computer system is booted from a backup operating system for the scan of the primary storage device.
 61. Logic encoded in non-transitory media that includes code for execution and when executed by a processor is operable to perform operations comprising: identifying malware during a scan of a primary storage device of a computer system, the primary storage device including a primary operating system; removing the identified malware, wherein removal of the identified malware causes changes on the primary storage device; and recording the changes on the primary storage device in a predefined safe area on the primary storage device. 